Description
ImageOptimizer is vulnerable to PHAR deserialization because the input path is not validated before it is passed to the file_exists() function. If an attacker can upload files of any type to the server, they can supply a phar:// path so that the uploaded file is unserialized and arbitrary PHP objects are instantiated. This can lead to remote code execution, especially when ImageOptimizer is used with frameworks that have documented POP chains (such as Laravel) or with vulnerable developer code.
Proof of Concept
Set up the following code in /var/www/html: vuln.php represents our use of ImageOptimizer functions and phar-poc.php represents code with a vulnerable POP chain.
As an attacker, we generate our PHAR payload using the following exploit script:
Generate with:
Then execute vuln.php with php vuln.php; you should see whoami being executed.
Note that after generating the PHAR exploit code, an attacker can rename it to any extension or filename they want. For example, test.phar can be renamed to test.png to bypass any file extension check by the developer, and phar://test.png can then be specified in $pathToImage.
Impact
This vulnerability is capable of remote code execution if ImageOptimizer is used with frameworks or developer code with vulnerable POP chains.
Recommended Fix:
Filter the phar:// protocol.
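A hardened version of the check the fix describes, added here as an example; it is not ImageOptimizer's own code. safeImagePath() and the uploads directory are assumptions, and it rejects every stream wrapper rather than only phar://, confines the resolved path to the allowed directory, and checks the file content rather than its extension, which also addresses the rename trick noted above.

```php
<?php
// Added example, not taken from ImageOptimizer. Validate a user-supplied
// image path before it reaches file_exists() or any other filesystem call.
// $allowedDir is an assumed uploads directory; adjust for your deployment.

function safeImagePath(string $pathToImage, string $allowedDir): string
{
    // Refuse any scheme prefix (phar://, php://, data://, ...). A generic
    // scheme check is used instead of a phar:// blocklist because wrappers
    // are matched case-insensitively and other wrappers are also risky.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $pathToImage)) {
        throw new InvalidArgumentException('Stream wrappers are not allowed');
    }
    // Embedded NUL bytes can truncate the path in lower-level calls.
    if (strpos($pathToImage, "\0") !== false) {
        throw new InvalidArgumentException('Invalid path');
    }
    // realpath() does not use stream wrappers, so it is safe to call here;
    // it returns false for paths that do not exist.
    $base = realpath($allowedDir);
    $real = realpath($pathToImage);
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException('File not found');
    }
    // Confine the resolved path to the allowed directory (blocks ../ escapes).
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('Path outside allowed directory');
    }
    // Check the actual content type, not the extension: a renamed PHAR
    // archive is not an image and is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($real);
    $allowedMimes = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];
    if (!in_array($mime, $allowedMimes, true)) {
        throw new InvalidArgumentException('Not an allowed image type');
    }
    return $real;
}

// Usage: only the validated, wrapper-free absolute path is handed on to
// ImageOptimizer (the uploads directory below is an assumed value).
// $pathToImage = safeImagePath($_POST['path'] ?? '', '/var/www/html/uploads');
```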